Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Paul Hoffman <paul.hoffman@icann.org> Wed, 24 October 2018 16:11 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Martin Thomson <martin.thomson@gmail.com>
CC: DoH WG <doh@ietf.org>
Date: Wed, 24 Oct 2018 16:11:10 +0000
Message-ID: <D51AB5D6-CCAD-4C2D-9FE3-8906CD39F129@icann.org>
References: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org> <CABkgnnV2YMtcdOyMfE2NMH4L1ZbK4dcp1KQt3FttCfz-nfQd6A@mail.gmail.com> <C82FBB08-8DAA-4C50-8934-576596C2532F@icann.org> <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com>
In-Reply-To: <CABkgnnVgZBp7bqv9u9iBbZAojQqbYAGWG54Ta5JKq_ycvaux1g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/lY3DTtUswZuaqUqahLiodd8aSbs>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

On Oct 23, 2018, at 6:22 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On Wed, Oct 24, 2018 at 12:12 PM Paul Hoffman <paul.hoffman@icann.org> wrote:
>> There is no way for an application like a browser to send a query through the OS for anything other than address records. That is, gethostbyname() and its equivalents only pass back address records. Even if an application had its own DNS stack to make queries for other RRtypes, it doesn't have any way to know where to send them to.
> 
> Well, resolver-addresses.arpa./IN/A(AAA) might still be useful for
> that then.  That's not ideal, but I believe that there are ways to
> make queries for other record types that are more available now than
> perhaps there were in the past (see
> https://docs.microsoft.com/en-us/windows/desktop/api/windns/nf-windns-dnsquery_a
> for example).

I certainly don't want to preclude one-step ways of getting the associated URI templates in a single step, but I also don't want to only have the ability to get associated DoH servers be limited to browsers (because web applications can't call OS APIs), nor limited to browsers that are running on OSes that support sending TXT (or TXT-like) queries.

> 
>>> IP-based certificates [...] impossible to deploy in many cases (think of the many resolvers with 1918 addresses, for example).
>> 
>> They don't make it "impossible" by a long shot. Plenty of resolvers, even corporate resolvers, have public addresses.
> 
> True, it is probably still possible, but it's not like you can just
> use ACME to get the certificate.  That's "possible" in theory, but I'm
> looking for practicable.

You should be able to use ACME in the future to get an IP-based certificate. draft-ietf-acme-ip has been submitted to the IESG for publication.

--Paul Hoffman
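What "an application having its own DNS stack" amounts to, as an added example that is not code from this thread or from any DoH implementation: it assembles a TXT/IN query for the resolver-addresses.arpa name discussed above and parses a constructed reply carrying a DoH URI template. The use of a TXT record for this, and the doh.example host, are assumptions made for the example.

```python
import struct
# Name floated in the thread; publishing a DoH URI template in a TXT record there is an assumption.
DISCOVERY_NAME = "resolver-addresses.arpa."
QTYPE_TXT, QCLASS_IN = 16, 1

def encode_name(name):  # dotted name -> wire-format labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_query(name, txid=0x1234):  # what an app with its own stub resolver would send
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def decode_name(msg, off):  # returns (name, offset after the name); follows compression pointers
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 section 4.1.4 pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0].rstrip("."))
            return ".".join(labels) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def txt_answers(msg):  # -> [(owner, text)] for every TXT record in the answer section
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, results = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:  # join the length-prefixed <character-string>s
            p, parts = 0, []
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8"))
                p += 1 + rdata[p]
            results.append((owner, "".join(parts)))
    return results

def sample_response():  # constructed reply: question echoed back, one TXT answer with a URI template
    template = b"https://doh.example/dns-query{?dns}"  # placeholder host, not a real DoH server
    rdata = bytes([len(template)]) + template
    reply = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_txt_query(DISCOVERY_NAME)[12:]
    return reply + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
```

The point the thread makes still stands: the application would also need to know the resolver's address to send `build_txt_query()` to, which the OS APIs do not hand it.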